{{- define "coredns_resources" }}
cpu: 25m
memory: 40Mi
{{- end }}
{{- define "iptables_loop_resources" }}
cpu: 10m
memory: 15Mi
{{- end }}

{{- if (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: {{ .Chart.Name }}
  namespace: kube-system
  {{- include "helm_lib_module_labels" (list . (dict "app" "node-local-dns" "workload-resource-policy.deckhouse.io" "every-node")) | nindent 2 }}
spec:
  targetRef:
    apiVersion: apps/v1
    kind: DaemonSet
    name: node-local-dns
  updatePolicy:
    updateMode: "Initial"
  resourcePolicy:
    containerPolicies:
    - containerName: coredns
      minAllowed:
        {{- include "coredns_resources" . | nindent 8 }}
      maxAllowed:
        cpu: 50m
        memory: 50Mi
    - containerName: iptables-loop
      minAllowed:
        {{- include "iptables_loop_resources" . | nindent 8 }}
      maxAllowed:
        cpu: 20m
        memory: 15Mi
    {{- include "helm_lib_vpa_kube_rbac_proxy_resources" . | nindent 4 }}
{{- end }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-local-dns
  namespace: kube-system
  {{- include "helm_lib_module_labels" (list . (dict "app" "node-local-dns")) | nindent 2 }}
spec:
  selector:
    matchLabels:
      app: node-local-dns
  template:
    metadata:
      labels:
        app: node-local-dns
        k8s-app: node-local-dns # added for compatibility with cilium connectivity tests
    spec:
      {{- include "helm_lib_priority_class" (tuple . "cluster-medium") | nindent 6 }}
      {{- include "helm_lib_tolerations" (tuple . "any-node") | nindent 6 }}
      {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }}
{{- if not (.Values.global.enabledModules | has "cni-cilium" )}}
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
{{- end }}
      serviceAccountName: d8-node-local-dns
{{- if (.Values.global.enabledModules | has "cni-cilium") }}
      initContainers:
      {{- include "helm_lib_module_init_container_check_linux_kernel" (tuple . ">= 5.7") | nindent 6 }}
{{- end }}
      containers:
      - name: coredns
        {{- /*
          UID: 0 GID:0 using for privilege access for iptables because using hostNetwork
        */}}
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - DAC_OVERRIDE
            - NET_RAW
            - NET_ADMIN
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
        image: {{ include "helm_lib_module_image" (list . "coredns") }}
        command: ["/bin/bash", "-l", "-c", "/start.sh"]
        env:
        - name: KUBE_CLUSTER_DOMAIN
          value: {{ .Values.global.discovery.clusterDomain | quote }}
        - name: KUBE_DNS_SVC_IP
          value: {{ .Values.global.discovery.clusterDNSAddress | quote }}
{{- if not (.Values.global.enabledModules | has "cni-cilium") }}
        - name: SHOULD_SETUP_IPTABLES
          value: "yes"
{{- end }}
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        livenessProbe:
{{- if (.Values.global.enabledModules | has "cni-cilium") }}
          httpGet:
            path: /health
            port: 9225
{{- else }}
          exec:
            command:
            - /liveness.sh
          periodSeconds: 20
          timeoutSeconds: 7
{{- end }}
        readinessProbe:
{{- if (.Values.global.enabledModules | has "cni-cilium") }}
          httpGet:
            path: /health
            port: 9225
{{- else }}
          exec:
            command:
            - /readiness.sh
{{- end }}
          periodSeconds: 5
          timeoutSeconds: 7
        volumeMounts:
        - mountPath: /run/xtables.lock
          name: xtables-lock
          readOnly: false
        - name: coredns-config
          mountPath: /etc/coredns
        - name: tmp
          mountPath: /tmp
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }}
{{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
            {{- include "coredns_resources" . | nindent 12 }}
{{- end }}
{{- if not (.Values.global.enabledModules | has "cni-cilium" )}}
      - name: iptables-loop
        {{- /*
          UID: 0 GID:0 using for privilege access for iptables because using hostNetwork
        */}}
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - DAC_OVERRIDE
            - NET_RAW
            - NET_ADMIN
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
        image: {{ include "helm_lib_module_image" (list . "iptablesLoop") }}
        env:
        - name: KUBE_DNS_SVC_IP
          value: {{ .Values.global.discovery.clusterDNSAddress | quote }}
        volumeMounts:
        - mountPath: /run/xtables.lock
          name: xtables-lock
          readOnly: false
        - name: tmp
          mountPath: /tmp
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }}
  {{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
            {{- include "iptables_loop_resources" . | nindent 12 }}
  {{- end }}
{{- end }}
      - name: kube-rbac-proxy
        {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
        image: {{ include "helm_lib_module_common_image" (list . "kubeRbacProxy") }}
        args:
        - "--secure-listen-address=$(KUBE_RBAC_PROXY_LISTEN_ADDRESS):9254"
        - "--v=2"
        - "--logtostderr=true"
        - "--stale-cache-interval=1h30m"
        env:
        - name: KUBE_RBAC_PROXY_LISTEN_ADDRESS
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: KUBE_RBAC_PROXY_CONFIG
          value: |
            upstreams:
            - upstream: http://127.0.0.1:9254/metrics
              path: /metrics
              authorization:
                resourceAttributes:
                  namespace: kube-system
                  apiGroup: apps
                  apiVersion: v1
                  resource: daemonsets
                  subresource: prometheus-metrics
                  name: node-local-dns
        ports:
        - containerPort: 9254
          name: https-metrics
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_only_logs" . | nindent 12 }}
{{- if not ( .Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
            {{- include "helm_lib_container_kube_rbac_proxy_resources" . | nindent 12 }}
{{- end }}
      volumes:
      - name: xtables-lock
        hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
      - name: coredns-config
        configMap:
          name: node-local-dns
      - name: tmp
        emptyDir: {}
      imagePullSecrets:
      - name: deckhouse-registry
